A ransomware attack on MetroHealth vendor compromized several patient’s health data and other pharmacies was also affected. Read on to know more…
A ransomware attack on a Texas-based company earlier this year may have exposed data of an unknown number of MetroHealth patients. The breach was initially revealed in February, according to CaptureRx, a vendor for MetroHealth that helps hospitals manage their 340b drug pricing programs. The data of more than 1.6 million patients, including first and last names, dates of birth, and prescriptions, was compromised.
CaptureRx said in letters to affected patients that it became aware of the suspicious activity and confirmed the breach approximately two weeks after it happened on Feb. 6, 2021. In late March, the company launched an investigation and began notifying clients about the breach. Dozens of hospital systems, as well as national pharmacy and grocery chains, are among CaptureRx’s clients.
The letter reads, “As part of CaptureRx’s ongoing commitment to the security of information, all policies and procedures are being reviewed and enhanced and additional workforce training is being conducted to reduce the likelihood of a similar future event,”
There were no specifics that was provided. The number of MetroHealth patients whose critical data was compromised is unknown, however the attack did not disrupt MetroHealth systems or impact the patient care, according to a CaptureRx statement sent to News 5. According to a hospital spokesperson, the health system is still doing business with CaptureRx.
Data Breach
MetroHealth officials issued an statement that the data breach at CaptureRx was caused due to a security vulnerability in the company’s build server, which is hosted by a third party. The hackers were given system’s credentials to the system and access the server. With this access, the hackers were able to steal sensitive health information from over a million clients, if not more.
Commenting on the data breach, Alex Hamerstone, a leading cyber security expert from TrustedSec, a Strongsville-based information security consulting firm, said “The challenge is that everything is getting more online and more accessible, which means there is a greater attack surface. There are more targets,”
“It really is much different than having your bank account data stolen or your credit card data stolen. Obviously, that is very impactful and you never want that to happen but it is much different when it’s your personal details. You start talking about what if somebody accesses your text messages and your medical history. Those are things that are much more private than a 16 digit credit card number. It can be life changing.”
Health-care data, according to Hamerstone, is often more valuable to hackers. When that data is stolen, the victims have fewer options than when their financial information is stolen. Furthermore, according to Hamerstone, consumers have less options for preventing their health-care data from being compromised.
Hamerstone said “When you share that data with someone else like a hospital, it’s only as secure as they keep it,”
“Health data is more valuable than credit card data. One of the reasons is it is used in fraud. It allows fraudulent organization to create profiles and bill insurance companies, the government, whatever, and get paid on it.”
According to Hamerstone, the CaptureRx data breach underlines the worrisome fact that hackers target not only huge organizations, but also the companies with which they do business.
“It used to be a lot of these systems. We would think they had walls around them. Now, they are much more open in the sense of data sharing and connection and things like that. It’s also much more common in that companies are outsourcing things,” Hamerstone said. “It’s what we call third, fourth and fifth party risk. The companies that you use and the companies that they use can present risk. You’re not just relying on the company you’re dealing with… you’re relying on their vendor selection. The services they use, the companies they use, etc. It really creates a much larger attack surface and more opportunities.”
Mitigation
CaptureRx recommends consumers affected by the incident to regularly monitor their accounts and verify their credit reports in a letter issued to them. Consumers are entitled to one free credit report from each of the three major credit reporting bureaus each year under federal law.
Consumers can also post an initial or detailed fraud alert on their credit, requiring businesses to take further steps to verify a consumer’s identity before issuing new credit. Consumers can also issue a freeze on their credit report, which prevents any information from being added to the credit report without their permission.